At first i thought that memory forensic is a black magic. Whenever i try to watch someone do memory forensic they do this kinda weird and exotic command to dump the memory and walaaa they got the source of infection. i was like whatttttt the hell is happening ʕʘ̅͜ʘ̅ʔ.
So rather than staying here babbling about how hard is memory forensic why not try it !
in these post i'm going to do memory forensic analysis with infamous LIME framework from volatility.
Before we go to the cool stuff let me explain you briefly about what is memory forensic. Simple enough memory forensic is a process acquiring and analysis of volatile data(RAM). Expert use memory forensic to identify the attack source or malware infection.
That's enough for the theory, lets go to the fun stuff(if you want to know more about memory forensic just google it you dumb dumb!)
we are going to run an application, dump the memory from the android and try to analyze it(Maximum EFFORT !!!!). OKAY! before you do exercise i must warn you that the android virtual machine that i use is based on ARM architecture not X86. PLEASE! check your android architecture using "droidhardware" application.
There are some checklist you need to prepare:
1. the standalone binary of volatility(link: https://www.volatilityfoundation.org/releases), i suggest that you choose the Linux distribution.
2. Download official github repository of the python wrapper for volatility. This post was inspire by the following github repository(link: https://github.com/devopscrazy/AndroidForensics)
3. extract the standalone binary zip to the androidforensic directory.
4. make some changes of the androidforensic.py script file. this file is responsible to operating the LIME framework make sure you change the variable of the script based on your environment.
1. I change the path_to_android_sdk variable based on my environment setup, i stored the android sdk at opt directory.
2. I change the emulator name because i already make one emulator called "droidbox"
3. I change the path of volatility executable because in the original script the volatility binary is only can run in macOS environment.
We are ready to go! first start the emulator:
wait for a moment and after that you will be served with fresh emulator loaded by the tools. If the emulator is ready move to installing the application we want to analyze(In this post i will use the eicar_safe.apk that i created from the previous post). Put it in the "myapp" directory in order to be loaded and deploy the app.
After you done deploy the app lets start interacting with the application just put some random command inside the application in order to be executed.
now after the application is executed lets dump the memory using LIME inside the tools. if you ever get this error "failed to copy remote Read-only filesystem" while dumping the memory use the following command to make the sdcard writable:
$./adb shell
$su
mount -o rw,remount rootfs /
chmod 777 /mnt/sdcard
exit(link: https://stackoverflow.com/questions/2083709/android-emulator-sdcard-push-error-read-only-file-system)
this may take a while depend on the size of the memory inside the emulator(just wait patiently). So this is the problem!
i try to run volatility to extract the process memory of the dump. But unfortunately i just encounter bug when volatility try to read the limeaddresspace.
i try to read some post about this bug but no resolution to this problem. I'll try next time in a mean time. Any thoughts guys how to resolve this bug ?
Thank you
Please tell which kernel module have you used, as LIME doesnot work otherwise . we must load a kernel module.. We are working for obtaining a dump of memory but we are failing as no kernel module is loading ..
ReplyDeleteYour help is highly appreciated..